US-20260163736-A1

Identity Authentication and Authorization Adapter

Published June 11, 2026
Assignee: not available in USPTO data
Technical Abstract

In certain examples, a method includes receiving, from a requesting entity and at an authentication and authorization adapter, an incoming request token, an app token, and a requested action set; assessing, by the authentication and authorization adapter, the incoming request token to determine an incoming request token type; providing, by the authentication and authorization adapter, the incoming request token and the requested action set to a particular identity access management (IAM) system of a plurality of IAM systems of a private cloud based on the incoming request token type; and providing, by the authentication and authorization adapter, an access response to the requesting entity based on an IAM response from the particular IAM system.

Patent Claims

Legal claims defining the scope of protection, as filed with the USPTO.

1

A system, comprising: one or more processors; and one or more non-transitory computer readable media storing instructions which, when executed by the one or more processors, cause the one or more processors to: receive, from a requesting entity and at an authentication and authorization adapter, an incoming request token, an app token, and a requested action set; assess, by the authentication and authorization adapter, the incoming request token to determine an incoming request token type; provide, by the authentication and authorization adapter, the incoming request token and the requested action set to a particular identity access management (IAM) system of a plurality of IAM systems of a private cloud based on the incoming request token type; and provide, by the authentication and authorization adapter, an access response to the requesting entity based on an IAM response from the particular IAM system.

2

The system of claim 1, wherein the instructions further cause the one or more processors to provide the app token to the particular IAM system.

3

The system of claim 1, wherein the instructions further cause the one or more processors to validate a private cloud service based on the app token.

4

The system of claim 1, wherein the authentication and authorization adapter determines the incoming request token type based on an issuer field within the incoming request token.

5

The system of claim 4, wherein, when the requesting entity is a user, the issuer field of the incoming request token indicates a first issuer associated with user authentication and authorization.

6

The system of claim 5, wherein, when the requesting entity is a service, the issuer field of the incoming request token indicates a second issuer associated with service authentication and authorization.

7

The system of claim 1, wherein to provide, by the authentication and authorization adapter, the incoming request token and the requested action set to the particular IAM system based on the incoming request token type, the instructions further cause the one or more processors to: provide the incoming request token and the requested action set to a first IAM system of the plurality of IAM systems of the private cloud based on the incoming request token being from a user, wherein the first IAM system corresponds to users of the private cloud; and provide a second incoming request token and a second requested action set to a second IAM system of the plurality of IAM systems of the private cloud based on the second incoming request token being from a service, wherein the second IAM system corresponds to services of the private cloud.

8

A computer-implemented method, comprising: receiving, from a requesting entity and at an authentication and authorization adapter, an incoming request token, an app token, and a requested action set; assessing, by the authentication and authorization adapter, the incoming request token to determine an incoming request token type; providing, by the authentication and authorization adapter, the incoming request token and the requested action set to a particular identity access management (IAM) system of a plurality of IAM systems of a private cloud based on the incoming request token type; and providing, by the authentication and authorization adapter, an access response to the requesting entity based on an IAM response from the particular IAM system.

9

The computer-implemented method of claim 8, further comprising providing the app token to the particular IAM system.

10

The computer-implemented method of claim 8, further comprising validating a private cloud service based on the app token.

11

The computer-implemented method of claim 8, wherein the authentication and authorization adapter determines the incoming request token type based on an issuer field within the incoming request token.

12

The computer-implemented method of claim 11, wherein, when the requesting entity is a user, the issuer field of the incoming request token indicates a first issuer associated with user authentication and authorization.

13

The computer-implemented method of claim 12, wherein, when the requesting entity is a service, the issuer field of the incoming request token indicates a second issuer associated with service authentication and authorization.

14

The computer-implemented method of claim 8, wherein providing, by the authentication and authorization adapter, the incoming request token and the requested action set to the particular IAM system based on the incoming request token type comprises: providing the incoming request token and the requested action set to a first IAM system of the plurality of IAM systems of the private cloud based on the incoming request token being from a user, wherein the first IAM system corresponds to users of the private cloud; and providing a second incoming request token and a second requested action set to a second IAM system of the plurality of IAM systems of the private cloud based on the second incoming request token being from a service, wherein the second IAM system corresponds to services of the private cloud.

15

A non-transitory computer-readable medium storing programming for execution by one or more processors, the programming comprising instructions to: receive, from a requesting entity and at an authentication and authorization adapter, an incoming request token, an app token, and a requested action set; assess, by the authentication and authorization adapter, the incoming request token to determine an incoming request token type; provide, by the authentication and authorization adapter, the incoming request token and the requested action set to a particular identity access management (IAM) system of a plurality of IAM systems of a private cloud based on the incoming request token type; and provide, by the authentication and authorization adapter, an access response to the requesting entity based on an IAM response from the particular IAM system.

16

The non-transitory computer-readable medium of claim 15, wherein the programming comprises further instructions to provide the app token to the particular IAM system.

17

The non-transitory computer-readable medium of claim 15, wherein the programming comprises further instructions to validate a private cloud service based on the app token.

18

The non-transitory computer-readable medium of claim 15, wherein the authentication and authorization adapter determines the incoming request token type based on an issuer field within the incoming request token.

19

The non-transitory computer-readable medium of claim 18, wherein: when the requesting entity is a user, the issuer field of the incoming request token indicates a first issuer associated with user authentication and authorization, and when the requesting entity is a service, the issuer field of the incoming request token indicates a second issuer associated with service authentication and authorization.

20

The non-transitory computer-readable medium of claim 15, wherein to provide, by the authentication and authorization adapter, the incoming request token and the requested action set to the particular IAM system based on the incoming request token type, the programming comprises further instructions to: provide the incoming request token and the requested action set to a first IAM system of the plurality of IAM systems of the private cloud based on the incoming request token being from a user, wherein the first IAM system corresponds to users of the private cloud; and provide a second incoming request token and a second requested action set to a second IAM system of the plurality of IAM systems of the private cloud based on the second incoming request token being from a service, wherein the second IAM system corresponds to services of the private cloud.

Detailed Description

Complete technical specification and implementation details from the patent document.

Computing resources (e.g., hardware resources, software resources) may be deployed as part of a cloud environment. Access to resources in a cloud environment is often subjected to at least some form of access control, through which users may be authenticated, and authenticated users may be authorized to access at least some portion of the computing resources in the cloud environment.

The figures are drawn to illustrate various aspects of the disclosure and are not necessarily drawn to scale.

The following disclosure provides many different examples for implementing different features. Specific examples of components and arrangements are described below to simplify the present disclosure. These are, of course, merely examples and are not intended to be limiting.

Entities may seek an environment of computing resources for performing various tasks, operations, activities, and the like, and/or in which various applications, services, and the like may be operated and/or provided. Such an environment may be referred to as a cloud environment. Resources in a cloud environment may be obtained, for example, from a cloud services provider, which may provide hardware resources, software resources, management services, and/or any other relevant components and/or services to be deployed as the cloud environment. In some circumstances, such entities may seek to retain at least some degree of control over such an environment by having at least some control of the physical computing resources (e.g., computing devices, network devices, storage devices, management devices, and the like) and/or logical resources (e.g., software, applications, services, container platforms, management techniques, and the like). An environment in which such an entity maintains such control may be referred to as a private cloud. In one or more examples, a private cloud is an environment in which all or any portion of physical and/or logical computing resources are managed, used, or otherwise maintained by a particular entity (e.g., a company) or set of entities and are intended for the use of the entity or set of entities that maintain the private cloud.

As an example, a particular entity may seek and acquire physical components, such as computing devices, networking equipment, storage devices, infrastructure components, and other components, such as management software, applications, services, other software, and the like from a provider of such resources, and deploy the resources at one or more physical sites as a private cloud. A private cloud may include external network connections (e.g., a connection to the Internet) through which a connection to an external entity, referred to herein as a cloud services provider or private cloud provider, may exist, and through which the private cloud provider may provide private cloud services such as management services, software updates, software lifecycle management services, device lifecycle management services, health monitoring, and the like. In other scenarios, a private cloud may be a disconnected private cloud, where the computing resources maintained by the entity exist at one or more physical locations, and are not connected to an external network, such as the Internet.

In one or more examples, to facilitate use of a private cloud, a private cloud provider may provide a private cloud platform, through which administrators and users of the private cloud may manage, use, and/or otherwise interact with computing resources of the private cloud. In one or more examples, a private cloud platform may use techniques for authentication and authorization of users and other entities (e.g., software services) to use the resources therein. As an example, users of resources in a private cloud may require access to and/or authorization for using services provided by a private cloud provider as part of the private cloud platform (e.g., access to and/or use of a virtual machine as-a-service (VMaaS) service, a bare metal as-a-service (BMaaS) service, and the like), and may also require access and/or authorization to use other applications, services, and the like deployed within the private cloud. Additionally, within a private cloud, certain services (e.g., VMaaS) may, from time to time, be configured to access and/or use other services (e.g., VM backup services). In one or more examples, a user attempting to access services and/or resources within a private cloud may require using one or more particular identity access management (IAM) systems (e.g., PingFederate), while services attempting to access other services may require using a different IAM system (e.g., Keycloak).

In such a scenario, it may be complicated to perform authentication and/or authorization of a user using one or more IAM services, while at the same time having to use a different IAM service for certain services to access and/or use other services. Examples disclosed herein address such challenges by implementing a single authentication and authorization adapter that is configured to receive incoming requests for authentication and authorization, and to provide a response thereto by directing the request to an IAM system that appropriately corresponds to the request (e.g., a particular IAM system for a user request, and a different IAM system for a service request). In one or more examples, the authentication and authorization adapter may simplify the authorization and authentication of entities for accessing resources and/or performing actions within a private cloud by allowing private cloud services to interact with the authentication and authorization adapter, regardless of which IAM system in the private cloud is responsible for approving or denying the access and/or actions.

In one or more examples, when a user accesses a private cloud platform, the user may be authenticated by a first IAM system (e.g., PingFederate) of the private cloud platform, and the user may be issued an incoming request token from the first IAM system (which may be referred to as an issuer) implemented within the private cloud platform. When a user attempts to access a resource, such as a BMaaS service, within a private cloud (e.g., by accessing a web-based interface and accessing a link to a service), the incoming request token may be provided to the private cloud service that the user is attempting to access. The service that the user is attempting to access (e.g., BMaaS) may either have, or take steps to obtain, an app token. An app token may be a token that includes information that allows the service to be validated. The service may then provide the incoming request token, the app token, and a set of one or more requested actions that the user is attempting to perform (e.g., read a configuration, modify a configuration, delete a configuration, and the like) to the authentication and authorization adapter. In one or more examples, the authentication and authorization adapter uses the app token to validate the service from which the app token was provided. When the service is validated via the app token, the authentication and authorization adapter may assess the incoming request token to determine that the incoming request token is a user token, based on an assessment of an issuer field within the token. In one or more examples, in the case of a user token, the issuer will be a user identity provider of the private cloud platform (e.g., PingFederate). Based on the issuer of the incoming request token indicating that the token is a user token, the authentication and authorization adapter may send an authentication and authorization request to the first IAM service, which authenticates the identity of the user, and authorizes or denies the action that the user is attempting to perform.

When a service (which may be referred to as a requesting service) within a private cloud seeks to invoke the use of another service (e.g., when a VMaaS service seeks to invoke a VM backup service), the requesting service may also need to be authenticated and authorized to perform such an action. To that end, in some implementations, the requesting service may seek or otherwise be provided an incoming request token that is a service token. Provided that the service is valid, the incoming request token may be issued to the requesting service as a service token, which may be issued by a different IAM service (as the issuer) than that which issues a user token (e.g., the service token may be issued by Keycloak rather than PingFederate). Once the service has obtained the service token, the service token may be provided from the requesting service (e.g., VMaaS) to another service (e.g., a backup service) from which some action is requested (e.g., perform a backup). In one or more examples, the service that the requesting service is attempting to access (which may be referred to as a requested service) either has, or takes steps to obtain, an app token. The requested service may then provide the incoming request token (in this case, the service token from the requesting service), the app token corresponding to the requested service, and a set of one or more actions that the requesting service is requesting the requested service to perform, to the authentication and authorization adapter. In some implementations, the authentication and authorization adapter uses the app token to validate the service from which the app token was provided. In other implementations, the app token may instead be validated by the service identity provider rather than by the authentication and authorization adapter. In one or more examples, when the requested service is validated via the app token, the authentication and authorization adapter assesses the incoming request token to determine that the incoming request token is a service token, based on an assessment of an issuer field within the token. In the case of a service token, the issuer may be a service identity provider of the private cloud platform (e.g., Keycloak). In one or more examples, based on the issuer of the incoming request token indicating that the token is a service token, the authentication and authorization adapter sends an authentication and authorization request to a second IAM service (e.g., Keycloak), which authenticates the identity of the service from which the request was issued, and authorizes or denies the action that the service is attempting to perform. In some scenarios, the second IAM service may also receive and assess the app token to authenticate the requested service.

Thus, the authentication and authorization adapter may be configured to be the entity to which requests in a private cloud are provided to determine whether the requesting entity (e.g., a user or a service) is authenticated and/or authorized to perform whatever action is being requested. In one or more examples, the authentication and authorization adapter is configured to assess an incoming request token associated with the requesting entity to determine whether the incoming request token is a user token or a service token (e.g., by assessing an issuer field within the token). In some implementations, the authentication and authorization adapter is configured to provide the incoming request token, and the set of one or more actions being requested, to one of a plurality of IAM systems, with the particular IAM system to which the authentication and authorization adapter sends the request being determined by the type of token associated with the requesting entity.
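The following Python sketch is an added example, not code from the patent or from any named IAM product, of the adapter flow described above: the adapter validates the requested private cloud service by its app token, reads the issuer field of the incoming request token to classify it as a user token or a service token, forwards the token's claims and the requested action set to the IAM system that corresponds to that token type, and returns an access response to the requesting service. The issuer URLs, HMAC signing secrets, app-token table, role and grant tables, and the compact "payload.signature" token format (a stand-in for a JWT) are all constructed assumptions; a real deployment would verify tokens against each issuer's published keys and consult the actual user and service access systems.

```python
"""Minimal authentication and authorization adapter that routes by token issuer (added example)."""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Constructed issuer identifiers and HMAC secrets standing in for the private cloud
# user access system (e.g. PingFederate) and service access system (e.g. Keycloak).
USER_ISSUER = "https://user-iam.private-cloud.example"
SERVICE_ISSUER = "https://service-iam.private-cloud.example"
ISSUER_KEYS: Dict[str, bytes] = {
    USER_ISSUER: b"user-iam-signing-secret",
    SERVICE_ISSUER: b"service-iam-signing-secret",
}

# Constructed app tokens, modelling tokens a service obtains with credentials from the
# app credentials vault; maps app token -> name of the validated private cloud service.
APP_TOKENS: Dict[str, str] = {"app-tok-bmaas": "bmaas", "app-tok-backup": "backup"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(issuer: str, subject: str) -> str:
    """Issue a 'payload.signature' token as an issuer would (HMAC stand-in for a JWT)."""
    payload = b64url(json.dumps({"iss": issuer, "sub": subject}, sort_keys=True).encode())
    sig = b64url(hmac.new(ISSUER_KEYS[issuer], payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"


def verify_token(token: str) -> Optional[dict]:
    """Return the claims if the signature verifies under the key of the issuer named in
    the token's issuer field. The field is read unverified only to select the key, and
    only allowlisted issuers have keys, so a token from an unknown issuer is rejected."""
    try:
        payload, sig = token.split(".")
        claims = json.loads(b64url_decode(payload))
    except (ValueError, json.JSONDecodeError):
        return None
    issuer = claims.get("iss") if isinstance(claims, dict) else None
    key = ISSUER_KEYS.get(issuer) if isinstance(issuer, str) else None
    if key is None:
        return None
    expected = b64url(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    return claims if hmac.compare_digest(sig, expected) else None


class UserIAM:
    """Stand-in for the private cloud user access system: actions per user role (constructed)."""
    PERMISSIONS = {"alice": {"read_config", "modify_config"}, "bob": {"read_config"}}

    def authorize(self, claims: dict, actions: Iterable[str]) -> bool:
        return set(actions) <= self.PERMISSIONS.get(claims.get("sub"), set())


class ServiceIAM:
    """Stand-in for the private cloud service access system: actions per service (constructed)."""
    GRANTS = {"vmaas": {"perform_backup"}}

    def authorize(self, claims: dict, actions: Iterable[str]) -> bool:
        return set(actions) <= self.GRANTS.get(claims.get("sub"), set())


@dataclass(frozen=True)
class AccessResponse:
    allowed: bool
    reason: str
    token_type: Optional[str] = None  # "user" or "service" once the token is classified


class AuthAdapter:
    """Single entry point: app-token check, issuer-based classification, IAM routing."""

    def __init__(self) -> None:
        self.iam_by_issuer = {
            USER_ISSUER: ("user", UserIAM()),
            SERVICE_ISSUER: ("service", ServiceIAM()),
        }

    def handle(self, incoming_token: str, app_token: str, actions: Iterable[str]) -> AccessResponse:
        # 1. Validate the private cloud service that forwarded the request via its app token.
        service = APP_TOKENS.get(app_token)
        if service is None:
            return AccessResponse(False, "requested service not validated by app token")
        # 2. Assess the incoming request token (signature under an allowlisted issuer).
        claims = verify_token(incoming_token)
        if claims is None:
            return AccessResponse(False, "incoming request token rejected")
        # 3. Determine the token type from the issuer field and route to that IAM system.
        token_type, iam = self.iam_by_issuer[claims["iss"]]
        requested = list(actions)
        allowed = bool(requested) and iam.authorize(claims, requested)
        # 4. Return the access response to the requesting service.
        verdict = "authorized" if allowed else "denied"
        return AccessResponse(allowed, f"{token_type} IAM {verdict} {claims.get('sub')} for {service}", token_type)
```

The routing decision is made only after the signature verifies, so a token whose issuer field names an issuer outside the allowlist is denied rather than forwarded to any IAM system, and a token that fails the app-token step is never assessed at all.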

FIG. 1 shows a block diagram of a private cloud 100 in accordance with one or more examples disclosed herein. As shown in FIG. 1, the private cloud 100 includes a private cloud requesting service 102, a private cloud user interface (UI) 104, one or more private cloud service component(s) 106, an app credentials vault 108, an authentication and authorization adapter 110, a private cloud user access system 112, and a private cloud service access system 114. Each of these components is described below.

In one or more examples, the private cloud 100 is a cloud environment deployed for and used by one entity or a particular set of entities. In one or more examples, a cloud environment is a collection of compute resources (e.g., computing devices, network devices, storage devices, various types of software, and the like). As an example, a particular entity, such as a company, may seek to have a cloud environment that employees of the company use for various purposes and/or through which the company provides various services to users. The example private cloud 100 shown in FIG. 1 shows portions of the private cloud 100 that relate to authentication and authorization of users and services of the private cloud 100 to access, invoke, or otherwise use various resources of the private cloud 100, with other portions of the private cloud 100 (e.g., various computing devices, network devices, storage devices, management devices, and the like) not shown in FIG. 1.

A private cloud (e.g., the private cloud 100) may be configured to provide computing resources on-demand to users of the private cloud. To that end, an entity for which the private cloud 100 is deployed may obtain a private cloud platform (e.g., from a private cloud provider), which may include a user interface (e.g., a web-based graphical UI), such as the private cloud user UI 104 (discussed below), which users of the entity may interact with to obtain access to the computing resources of the private cloud.

In one or more examples, within the private cloud 100, any number of services may exist to facilitate the functionality of the private cloud 100 (e.g., VMaaS, BMaaS, monitoring services, security services, network services, storage services, backup services, file and object services, and the like). All or any portion of such services may be provided, for example, by a private cloud provider. In one or more examples, from time to time, such services are configured to invoke other services (e.g., VMaaS may invoke backup services, BMaaS may invoke monitoring services, and the like). In one or more examples, any service of the private cloud 100 that invokes another service of the private cloud 100 may be referred to as the private cloud requesting service 102.

In one or more examples, the private cloud 100 may include the private cloud user interface 104. In one or more examples, the private cloud user UI 104 is provided from a private cloud provider as part of a private cloud platform, through which users of the private cloud 100 access resources of the private cloud. As an example, the private cloud user UI 104 may be a web-based UI that users of the private cloud 100 access as a starting point for accessing resources of the private cloud 100. In one or more examples, the private cloud user UI 104 is implemented, at least in part, on a computing device. In one or more examples, as used herein, a computing device may be any single computing device, a set of computing devices, a portion of one or more computing devices, or any other physical, virtual, and/or logical grouping of computing resources. Non-limiting examples of a computing device are shown in FIG. 5 and FIG. 6, which are described below. In one or more examples, a computing device may be any device of any type that is configured to host all or any portion of one or more applications, microservices, clustered environment services, storage services, network services, and/or any other computing function, which may include executing instructions, performing operations, executing functions, performing computations, and the like.

In one or more examples, a computing device is any device, portion of a device, or any set of devices capable of electronically processing instructions and may include, but is not limited to, any of the following: one or more processors (e.g. components that include circuitry), memory (e.g., random access memory (RAM)), input and output device(s), non-volatile storage hardware (e.g., solid-state drives (SSDs), persistent memory (Pmem) devices, hard disk drives (HDDs)), one or more physical interfaces (e.g., network ports, storage ports), any number of other hardware components, and/or any combination thereof.

Examples of computing devices include, but are not limited to, a server (e.g., a blade-server in a blade-server chassis, a rack server in a rack, a desktop server, any other type of server device), a desktop computer, a mobile device (e.g., laptop computer, smart phone, personal digital assistant, tablet computer, automobile computing system, and/or any other mobile computing device), a storage device (e.g., a disk drive array, a fibre channel storage device, an Internet Small Computer Systems Interface (iSCSI) storage device, a tape storage device, a flash storage array, a network attached storage device, any other type of storage device), a network device, a virtual machine, a virtualized computing environment, a logical container (e.g., for one or more applications), a container pod, an Internet of Things (IoT) device, an array of nodes of computing resources, a supercomputing device, a data center or any portion thereof, any combination of the aforementioned items, and/or any other type of computing device. As one of ordinary skill in the art will appreciate, any of the aforementioned examples of computing devices necessarily require at least some hardware components. As an example, a virtual machine, a container, and/or a container pod, when considered as a computing device herein, includes the underlying hardware on which the virtual machine, container, and/or a container pod executes.

In one or more examples, the storage and/or memory of a computing device or system of computing devices may be and/or include one or more data repositories for storing any number of data structures storing any amount of data (e.g., information). In one or more examples, a data repository is any type of storage unit and/or device (e.g., a file system, database, collection of tables, RAM, hard disk drive, solid state drive, and/or any other storage mechanism or medium) for storing data. Further, the data repository may include multiple different storage units and/or devices. The multiple different storage units and/or devices may or may not be of the same type or located at the same physical location.

Any storage and/or memory of a computing device or system of computing devices may be considered, in whole or in part, as non-transitory computer readable mediums storing software and/or firmware, which, when executed by one or more processors, cause the one or more processors to perform operations (e.g., execution of one or more computer programs) in accordance with one or more examples disclosed herein.

In one or more examples, the private cloud 100 includes the private cloud service component(s) 106. The private cloud service component(s) 106 may be any one or more services implemented within the private cloud 100. The private cloud service component(s) 106 may be implemented using one or more computing devices (discussed above).

The private cloud service component(s) 106 may be a service (e.g., VMaaS, BMaaS, and the like) that is invoked by a user through the private cloud user UI 104. As an example, a user may navigate to the private cloud user UI 104, and view any number of services of the private cloud that are available to the user. In such a scenario, the user may, within the private cloud user UI 104, select a private cloud service component 106 to invoke that service.

The private cloud service component(s) 106 may, in some implementations, within the private cloud 100, be invoked by other services. As an example, the private cloud requesting service 102 may be a VMaaS service that is configured to back up any number of VMs every four hours. To that end, in one or more examples, the VMaaS service, as the private cloud requesting service 102, may invoke a VM backup service (e.g., the 'requested service') as the private cloud service component 106 to perform the scheduled backups.

In one or more examples, the private cloud 100 includes the app credentials vault 108. The app credentials vault may be a computing device (discussed above) that is configured to provide app credentials to a private cloud service component 106 so that the private cloud service component 106 may request and receive an app token, which the private cloud service component 106 may use to be validated by other components of the private cloud (e.g., an authentication and authorization adapter, a platform identity provider, an access system, and the like). App credentials, obtained from the app credentials vault 108, may be any amount of information of any type that allows the validation of a private cloud service component, such as one or more identifiers, keys, secrets, and the like.

In one or more examples, the private cloud 100 includes the authentication and authorization adapter 110. The authentication and authorization adapter 110 may be a computing device (discussed above) that is configured to receive requests for authentication and authorization from the private cloud service component(s) 106, and to interact with an appropriate access system (e.g., the private cloud user access system 112, the private cloud service access system 114) to allow or deny requests to access resources of the private cloud 100. The authentication and authorization adapter 110 may allow the private cloud service component(s) 106 to have a common authorization flow, regardless of whether they are invoked by a user or by another service, as all requests are routed to the authentication and authorization adapter 110, which is configured to determine what access system to interact with in order to approve or deny a request to access resources of the private cloud 100. Thus, the authentication and authorization adapter 110 may simplify the process of authentication and authorization of services and users to access and use the private cloud service component(s) 106 within the private cloud 100.

In one or more examples, the private cloud 100 includes the private cloud user access system 112, and the private cloud service access system 114. Each of these access systems may be implemented using a computing device (discussed above), and configured to provide authentication of and/or authorization for entities to access resources within the private cloud 100. The private cloud user access system 112 may be configured to authenticate the identity of users, and to authorize users to access resources of the private cloud 100, which may include, for example, constructs such as workspaces, which may define a common set of private cloud resources to which users have access, and/or roles, which may define what actions a set of users may perform.

The private cloud service access system 114 may be a separate access management system that is configured to manage access of services within a private cloud to perform various actions, including accessing and using other services, within the private cloud 100. Thus, for private cloud environments (e.g., the private cloud 100), there may exist any number of private cloud user access systems (e.g., the private cloud user access system 112) and any number of separate private cloud service access systems (e.g., the private cloud service access system 114). In one or more examples, rather than have each user interface, service, application, and the like within the private cloud 100 separately configured to comprehend how to interact with each of the disparate identity access management systems implemented therein, the various user interfaces, services, and applications may be configured to interact with the same authentication and authorization adapter (e.g., the authentication and authorization adapter 110), which, in turn, is configured to interact with the separate identity access management systems (e.g., the private cloud user access system 112, the private cloud service access system 114).

While FIG. 1 shows a particular configuration of devices and/or components, other configurations may be used without departing from the scope of examples described herein. Accordingly, examples disclosed herein should not be limited to the configuration of devices and/or components shown in FIG. 1.

FIG. 2 is a flow diagram showing interactions between components of a private cloud using an authentication and authorization adapter for user access of private cloud resources, in accordance with one or more examples disclosed herein.

As shown in FIG. 2, when attempting to access resources in a private cloud (e.g., the private cloud of FIG. 1), a user may first launch a private cloud user UI. The private cloud user UI may be, for example, part of a private cloud platform provided by a private cloud provider. The user may log in to the private cloud user UI using any appropriate technique, such as, for example, providing a username and password, any form of two factor authentication, and the like. When the user successfully logs in to the private cloud user UI, the user may be issued a user token, which is one type of incoming request token. In one or more examples, the user token may include information that allows for verification of the identity of the user. The user token may be issued by a private cloud user access system (e.g., the private cloud user access system of FIG. 1), such as, for example, PingFederate. The user token may include an issuer field, in which the private cloud user access system is identified as the issuer of the user token.

The user, via the private cloud user UI, may select to access a private cloud service within the private cloud (e.g., one of the private cloud service component(s)) to perform one or more actions. As an example, a user may access the BMaaS service of the private cloud to read a configuration of bare-metal resources within the private cloud. In one or more examples, when the user attempts to access the private cloud service to perform an action, the private cloud user UI may provide the user token to the private cloud service.

In response to receiving a request to perform an action, the private cloud service may obtain an app token. In one or more examples, an app token is a token, separate from the user token, that identifies the private cloud service and allows the private cloud service to be authenticated as a valid service to be requesting the action to be performed. An app token may be issued to a private cloud service when the private cloud service is initially used, or after expiration of a time for which an app token remains valid. Once a private cloud service has an app token, the same app token may be used for any number of requests within a configured time period. In a scenario where the private cloud service does not presently have a valid app token, the private cloud service may obtain app credentials from the app credentials vault, which may return the app credentials to the private cloud service.

In one or more examples, using the app credentials, the private cloud service may request an app token. In one or more examples, an app token is used as an item of information that validates the identity of the private cloud service. In one or more examples, the request for the app token is sent to the authentication and authorization adapter, which may interact with a private cloud user access system to request and receive the app token for the private cloud service.

In one or more examples, once the private cloud service has been provided the app token, the private cloud service may transmit the user token, the app token, and a set of requested permissions (which may be referred to as a requested action set) to the authentication and authorization adapter.

In one or more examples, the authentication and authorization adapter may assess the incoming request token (which is the user token in the present example), and determine an incoming request token type, which is based on the issuer of the incoming request token. The issuer may be determined via examination of an issuer field within the incoming request token. In the present example, the authentication and authorization adapter determines that the issuer of the incoming request token is a private cloud user access system, making the incoming request token type a user token. Accordingly, the authentication and authorization adapter may send an access request to the private cloud user access system to determine whether the one or more actions being requested by the user are allowed or denied.

In one or more examples, the access request may include the user token, the requested action set (based on the requested permissions), and the app token. The private cloud user access system may assess the app token to validate the private cloud service, and, when the private cloud service is validated, assess the user token and the requested action set to determine whether the user, who was previously validated in order to receive the user token, is authorized to perform whatever actions are included in the requested action set.

In one or more examples, when the user is not authorized to perform the requested actions (e.g., the user does not have permission to change the configuration of a bare-metal resource of a private cloud), the private cloud user access system may deny the request, and the denial may be returned to the private cloud service, which then provides an indication of failure of the requested action to the private cloud user UI. When the user is authorized to perform the requested actions (e.g., when the user has permission to view the bare-metal configuration of resources in the private cloud), the private cloud user access system may allow the request, and the allowance may be returned to the private cloud service. In response to the allowance, the private cloud service may perform the requested actions, and return an indication of success to the private cloud user UI.

FIG. 3 is a flow diagram showing interactions between components of a private cloud using an authentication and authorization adapter for service access of private cloud resources, in accordance with one or more examples disclosed herein.

As shown in FIG. 3, a private cloud service A may seek to invoke another service in a private cloud (e.g., the private cloud of FIG. 1), such as the private cloud service B. As an example, the private cloud service A may be a VMaaS service, which is configured to back up various VMs via a backup service of the private cloud, which may be the private cloud service B. In such a scenario, the private cloud service A may first request a service token. In one or more examples, a service token is a set of information that allows the private cloud service A to be validated within the private cloud and to determine whether the private cloud service A is authorized to perform whatever set of requested actions the private cloud service A is attempting to perform.

In one or more examples, the private cloud service A requests the service token from the private cloud service access system, which is a different access system than an access system implemented within the private cloud for authentication of and/or authorization for users within the private cloud (e.g., the private cloud user access system of FIG. 2). The private cloud service access system (e.g., Keycloak) may provide the service token to the private cloud service A, which may then invoke other services of the private cloud using the service token.

In one or more examples, the private cloud service A (e.g., a VMaaS service) provides the service token to the private cloud service B (e.g., a VM backup service), along with a requested action set (e.g., to back up a set of VMs). In one or more examples, the service token is issued by a private cloud service access system (e.g., the private cloud service access system of FIG. 1), such as, for example, Keycloak. In one or more examples, the service token includes an issuer field, in which the private cloud service access system is identified as the issuer of the service token.

In one or more examples, in response to receiving a request to perform an action, the private cloud service B may obtain an app token. In one or more examples, an app token is a token, separate from the service token, that identifies the private cloud service B and allows the private cloud service B to be authenticated as a valid service to be requesting the action to be performed. An app token may be issued to a private cloud service B when the private cloud service B is initially used, or after expiration of a time for which an app token remains valid. Once a private cloud service has an app token, the same app token may be used for any number of requests within a configured time period. In a scenario where the private cloud service B does not presently have a valid app token, the private cloud service may obtain app credentials from the app credentials vault, which may return the app credentials to the private cloud service B.

In one or more examples, using the app credentials, the private cloud service B may request an app token. In one or more examples, an app token is used as an item of information that validates the identity of the private cloud service. In one or more examples, the request for the app token is sent to the authentication and authorization adapter, which may interact with a private cloud service access system to request and receive the app token for the private cloud service B.

In one or more examples, once the private cloud service B has been provided the app token, the private cloud service B may transmit the service token, the app token, and a set of requested permissions (which may be referred to as a requested action set) to the authentication and authorization adapter.
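The app-token lifecycle described for the private cloud service in the FIG. 2 flow and again for the private cloud service B above (obtain app credentials from the vault, exchange them for an app token through the adapter, reuse that token for any number of requests until it is about to expire) can be modelled as follows. This is an added example written for this page, not code from the patent or from any product; the vault, the adapter's app-token endpoint, the renewal margin, the token lifetime and the credential values are all constructed for the illustration.

```python
from dataclasses import dataclass

RENEW_MARGIN_SECONDS = 30  # constructed: renew an app token this long before it expires


@dataclass
class AppToken:
    value: str
    expires_at: float


class AppCredentialsVault:
    """Constructed stand-in for the app credentials vault: returns a service's own credentials."""

    def __init__(self, credentials: dict):
        self._credentials = credentials
        self.reads = 0  # how often a service had to go back to the vault

    def get_credentials(self, service_name: str) -> tuple:
        self.reads += 1
        return service_name, self._credentials[service_name]


class AdapterAppTokenEndpoint:
    """Constructed stand-in for the adapter's app-token path. In the patent the adapter asks an
    access system to issue the token; here the endpoint checks the credentials and issues it."""

    def __init__(self, credentials: dict, lifetime_seconds: int):
        self._credentials = credentials
        self._lifetime = lifetime_seconds
        self.issued = 0

    def request_app_token(self, service_name: str, secret: str, now: float) -> AppToken:
        if self._credentials.get(service_name) != secret:
            raise PermissionError(f"bad app credentials for {service_name}")
        self.issued += 1
        return AppToken(f"app-token-{service_name}-{self.issued}", now + self._lifetime)


class PrivateCloudService:
    """A service that lazily obtains an app token and reuses it until shortly before expiry."""

    def __init__(self, name: str, vault: AppCredentialsVault, adapter: AdapterAppTokenEndpoint):
        self.name = name
        self._vault = vault
        self._adapter = adapter
        self._token = None

    def app_token(self, now: float) -> str:
        """Return a valid app token at time `now`, going to the vault and adapter only when needed."""
        if self._token is None or self._token.expires_at - RENEW_MARGIN_SECONDS <= now:
            service_name, secret = self._vault.get_credentials(self.name)
            self._token = self._adapter.request_app_token(service_name, secret, now)
        return self._token.value


def demo_lifecycle() -> dict:
    """Drive one service through first use, reuse and renewal; returns the observed counters."""
    creds = {"bmaas": "constructed-bmaas-secret"}  # constructed credential, not a real value
    vault = AppCredentialsVault(creds)
    adapter = AdapterAppTokenEndpoint(creds, lifetime_seconds=300)
    bmaas = PrivateCloudService("bmaas", vault, adapter)
    first = bmaas.app_token(now=0)      # first use: vault read and token issued
    reused = bmaas.app_token(now=200)   # within validity: same token, no vault read
    renewed = bmaas.app_token(now=280)  # inside the renewal margin: new token issued
    return {"first": first, "reused": reused, "renewed": renewed,
            "vault_reads": vault.reads, "tokens_issued": adapter.issued}


if __name__ == "__main__":
    print(demo_lifecycle())
```

The time is passed in explicitly so the renewal decision is deterministic; a deployment would read a clock instead. Renewing slightly before expiry avoids presenting a token that lapses while the adapter is still forwarding the request.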

In one or more examples, the authentication and authorization adapter may assess the incoming request token (which is the service token in the present example), and determine an incoming request token type, which is based on the issuer of the incoming request token. In one or more examples, the issuer is determined via examination of an issuer field within the incoming request token. In the present example, the authentication and authorization adapter determines that the issuer of the incoming request token is a private cloud service access system, making the incoming request token type a service token. Accordingly, the authentication and authorization adapter may send an access request to the private cloud service access system to determine whether the one or more actions being requested by the private cloud service A are allowed or denied.

In one or more examples, the access request may include the service token, the requested action set (based on the requested permissions), and the app token. In one or more examples, the private cloud service access system assesses the app token to validate the private cloud service B, and, when the private cloud service B is validated, assesses the service token and the requested action set to determine whether the private cloud service A, which was previously validated in order to receive the service token, is authorized to perform whatever actions are included in the requested action set.

In one or more examples, when the private cloud service A is not authorized to perform the requested actions (e.g., the service does not have permission to perform a VM backup), the private cloud service access system may deny the request, and the denial may be returned to the private cloud service B, which may then provide an indication of failure of the requested action to the private cloud service A. In one or more examples, when the private cloud service A is authorized to perform the requested actions (e.g., when the service has permission to perform a VM backup), the private cloud service access system may allow the request, and the allowance may be returned to the private cloud service B. In response to the allowance, the private cloud service B may perform the requested actions, and return an indication of success to the private cloud service A.

Thus, as can be seen via the examples shown in FIG. 2 and FIG. 3, a user accessing services within a private cloud, and a service invoking another service within a private cloud, may be authenticated using different access systems to receive, respectively, a user token or a service token. In one or more examples, the architecture of the private cloud authentication and authorization techniques may be simplified by having requested actions within the private cloud, regardless of whether the actions are requested by a user or a service, sent to the same authentication and authorization adapter, which may determine if the requesting entity is a user or a service, and correspondingly direct the request to the appropriate access system based on the determination of the type of the incoming request token (e.g., user token or service token) provided by the requesting entity.

FIG. 4 illustrates an overview of an example method for using an authentication and authorization adapter to service requested action sets in a private cloud environment, in accordance with one or more examples disclosed herein.

The method may be performed, at least in part, by one or more devices and/or components of a private cloud (e.g., the private cloud of FIG. 1). As such, all or any portion of the method may be performed, for example, by an authentication and authorization adapter (e.g., the authentication and authorization adapter of FIG. 1, the authentication and authorization adapter of FIG. 2, the authentication and authorization adapter of FIG. 3).

While the various steps in the flowchart shown in FIG. 4 are presented and described sequentially, some or all of the steps may be executed in different orders, some or all of the steps may be combined or omitted, and some or all of the steps may be executed in parallel with other steps of FIG. 4 and/or steps not shown in FIG. 4.

In Step 402, the method includes receiving, from a requesting entity and at an authentication and authorization adapter, an incoming request token, an app token, and a requested action set. In one or more examples, the requesting entity may be a private cloud user UI (e.g., the private cloud user UI of FIG. 1, the private cloud user UI of FIG. 2) that is being accessed by a user (e.g., the user of FIG. 2). In other examples, the requesting entity may be a private cloud service (e.g., the private cloud service B of FIG. 3) that is requested to perform one or more actions by another service of a private cloud (e.g., the private cloud service A of FIG. 3). In one or more examples, the incoming request token, the app token, and the requested action set may be received by an authentication and authorization adapter (e.g., the authentication and authorization adapter of FIG. 1, the authentication and authorization adapter of FIG. 2, the authentication and authorization adapter of FIG. 3).

In one or more examples, the incoming request token may be a user token that is issued for a user by a private cloud user access system, such as PingFederate (e.g., the private cloud user access system of FIG. 1, the private cloud user access system of FIG. 2). In one or more examples, the incoming request token may be issued for a private cloud service by a private cloud service access system (e.g., the private cloud service access system of FIG. 1, the private cloud service access system of FIG. 3). In one or more examples, the incoming request token may be for use in validating the identity of the requesting entity, the app token may be used for validating the private cloud service that is to perform the actions of the requested action set, and the requested action set may be a set of one or more actions that the requesting entity is requesting to perform.

In Step 404, the method includes validating, by the authentication and authorization adapter (e.g., the authentication and authorization adapter of FIG. 1, the authentication and authorization adapter of FIG. 2, the authentication and authorization adapter of FIG. 3), the requesting entity based on the app token. In one or more examples, the app token may be obtained by a private cloud service that has been requested to perform one or more actions by a user or by another service. In one or more examples, validating the requesting entity may be performed by the authentication and authorization adapter by providing the app token to an access service of the private cloud.

In Step 406, the method includes assessing, by the authentication and authorization adapter (e.g., the authentication and authorization adapter of FIG. 1, the authentication and authorization adapter of FIG. 2, the authentication and authorization adapter of FIG. 3), the incoming request token to determine an incoming request token type. In one or more examples, the incoming request token type is determined by the authentication and authorization adapter based on an issuer field within the incoming request token. In one or more examples, when the issuer field indicates that the incoming request token is issued by a private cloud user access system, the incoming request token type is a user token. In one or more examples, when the issuer field indicates that the incoming request token is issued by a private cloud service access system, the incoming request token type is a service token.

In Step 408, the method includes providing, by the authentication and authorization adapter (e.g., the authentication and authorization adapter of FIG. 1, the authentication and authorization adapter of FIG. 2, the authentication and authorization adapter of FIG. 3), the incoming request token and the requested action set to a particular identity access management (IAM) system (e.g., the private cloud user access system of FIG. 1, the private cloud user access system of FIG. 2, the private cloud service access system of FIG. 1, the private cloud service access system of FIG. 3) of a plurality of IAM systems of a private cloud (e.g., the private cloud of FIG. 1) based on the incoming request token type. In one or more examples, the authentication and authorization adapter may also provide the app token to the particular IAM system. In one or more examples, the particular IAM system may assess the incoming request token and the requested action set to determine whether the requesting entity is authorized to perform the one or more actions requested as part of the requested action set.

In Step 410, the method includes providing, by the authentication and authorization adapter (e.g., the authentication and authorization adapter of FIG. 1, the authentication and authorization adapter of FIG. 2, the authentication and authorization adapter of FIG. 3), an access response to the requesting entity based on an IAM response from the particular IAM system. In one or more examples, an access response includes an allowance or denial of all or any portion of the actions requested in the requested action set. In one or more examples, an IAM response includes a response provided to the authentication and authorization adapter from whichever IAM system was determined as the appropriate IAM system to receive the request based on the issuer field of the incoming request token.
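As an added illustration of Steps 402 through 410, and of the user flow of FIG. 2 and the service flow of FIG. 3 that they generalize, the following Python sketch implements the adapter's routing logic end to end: it checks the app token and the incoming request token, reads the issuer field of the incoming request token to classify it as a user token or a service token, forwards the token, the app token and the requested action set to a stub of the matching access system, and returns that system's allowance or denial as the access response. This is example code written for this page, not the patent's or any vendor's implementation; the token format (a compact HS256-style JWT), the issuer identifiers, the HMAC keys, the registered-app list, the permission tables and the two stub access systems are all constructed for the illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed issuer identifiers and per-issuer HMAC keys for this example. A real adapter
# would hold each IAM system's public signing keys (or call its introspection endpoint) instead.
USER_ISSUER = "https://user-access.example.internal"        # plays the private cloud user access system
SERVICE_ISSUER = "https://service-access.example.internal"  # plays the private cloud service access system
ISSUER_KEYS = {
    USER_ISSUER: b"constructed-user-access-key",
    SERVICE_ISSUER: b"constructed-service-access-key",
}

# Constructed authorization data held by the two stub access systems.
REGISTERED_APPS = {"bmaas", "vm-backup"}  # services allowed to present an app token
USER_PERMISSIONS = {"alice": {"bmaas:read-config"},
                    "bob": {"bmaas:read-config", "bmaas:write-config"}}
SERVICE_PERMISSIONS = {"vmaas": {"backup:create"}}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(issuer: str, subject: str, lifetime: int = 300) -> str:
    """Toy issuer: build a compact HS256-style token carrying iss, sub and exp claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64url(json.dumps({"iss": issuer, "sub": subject,
                                 "exp": int(time.time()) + lifetime}).encode())
    signature = hmac.new(ISSUER_KEYS[issuer], f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64url(signature)}"


def verify_token(token: str) -> dict:
    """Return the claims of a token whose issuer is trusted and whose signature and expiry hold.

    The issuer field is read from the not-yet-verified claims only to select the key; the
    claims are acted on only after the signature under that issuer's key has been checked.
    """
    try:
        header, claims_b64, sig_b64 = token.split(".")
        claims = json.loads(_b64url_decode(claims_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # covers bad part count, bad base64 and bad JSON
        raise ValueError("malformed token")
    if not isinstance(claims, dict) or claims.get("iss") not in ISSUER_KEYS:
        raise ValueError("untrusted issuer")
    expected = hmac.new(ISSUER_KEYS[claims["iss"]], f"{header}.{claims_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")
    if claims.get("exp", 0) < time.time():
        raise ValueError("token expired")
    return claims


def user_access_system(incoming: dict, app: dict, actions: set) -> dict:
    """Stub user access system: validate the app token, then authorize the user's actions."""
    if app["sub"] not in REGISTERED_APPS:
        return {"allowed": False, "reason": "unknown app"}
    missing = actions - USER_PERMISSIONS.get(incoming["sub"], set())
    return {"allowed": not missing, "denied_actions": sorted(missing)}


def service_access_system(incoming: dict, app: dict, actions: set) -> dict:
    """Stub service access system: same shape, but authorizes the calling service."""
    if app["sub"] not in REGISTERED_APPS:
        return {"allowed": False, "reason": "unknown app"}
    missing = actions - SERVICE_PERMISSIONS.get(incoming["sub"], set())
    return {"allowed": not missing, "denied_actions": sorted(missing)}


def adapter_handle_request(incoming_token: str, app_token: str, requested_actions) -> dict:
    """Steps 402-410: receive, validate the app token, classify by issuer, route, respond."""
    try:
        app_claims = verify_token(app_token)            # Step 404: validate the requesting service
        incoming_claims = verify_token(incoming_token)  # Step 406: check the incoming request token
    except ValueError as exc:
        return {"allowed": False, "reason": str(exc)}
    token_type = "user" if incoming_claims["iss"] == USER_ISSUER else "service"
    iam = user_access_system if token_type == "user" else service_access_system
    iam_response = iam(incoming_claims, app_claims, set(requested_actions))  # Step 408
    return {"token_type": token_type, **iam_response}                        # Step 410


if __name__ == "__main__":
    # User flow (FIG. 2): alice, via the BMaaS service, asks to read bare-metal configuration.
    print(adapter_handle_request(mint_token(USER_ISSUER, "alice"),
                                 mint_token(USER_ISSUER, "bmaas"), {"bmaas:read-config"}))
    # Service flow (FIG. 3): VMaaS asks the VM backup service to create a backup.
    print(adapter_handle_request(mint_token(SERVICE_ISSUER, "vmaas"),
                                 mint_token(SERVICE_ISSUER, "vm-backup"), {"backup:create"}))
```

One design choice worth noting: the adapter reads the issuer claim to decide which key to check, but it routes to an IAM system only after the issuer is found in its allow-list and the signature under that issuer's key verifies, so a token that merely claims a trusted issuer is rejected before any access system is consulted. The denial reasons are returned here to make the example inspectable; a deployed adapter would log them and return a less specific access response to the requesting entity.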

FIG. 5 illustrates a block diagram of a computing device, in accordance with one or more examples disclosed herein. The computing device may be an example of the various computing devices (e.g., the private cloud requesting service of FIG. 1, the private cloud user UI of FIG. 1, the private cloud service component(s) of FIG. 1, the app credentials vault of FIG. 1, the authentication and authorization adapter of FIG. 1, the private cloud user access system of FIG. 1, the private cloud service access system of FIG. 1) described above and/or of the computing device described below. As discussed above in the descriptions of FIG. 1, FIG. 2, FIG. 3, and FIG. 4, the computing device may be used to implement all or any portion of the various components shown in FIG. 1, FIG. 2, and/or FIG. 3 and described above and/or to perform all or any portion of the method shown in FIG. 4 and described above.

The computing device may include one or more processors and memory. The memory may include a non-transitory computer-readable medium that stores programming for execution by one or more of the one or more processors. In this implementation, one or more modules within the computing device may be partially or wholly embodied as software for performing any functionality described in this disclosure. The computing device may be, for example, configured to perform the method shown in FIG. 4 and described above, by executing instructions included in the memory and executed by the one or more processors.

For example, the memory may include instructions to receive, from a requesting entity and at an authentication and authorization adapter, an incoming request token, an app token, and a requested action set (e.g., as described above in reference to Step 402 of FIG. 4).

For example, the memory may include instructions to validate, by the authentication and authorization adapter, the requesting entity based on the app token (e.g., as described above in reference to Step 404 of FIG. 4).

For example, the memory may include instructions to assess, by the authentication and authorization adapter, the incoming request token to determine an incoming request token type (e.g., as described above in reference to Step 406 of FIG. 4).

For example, the memory may include instructions to provide, by the authentication and authorization adapter, the incoming request token and the requested action set to a particular identity access management (IAM) system of a plurality of IAM systems of a private cloud based on the incoming request token type (e.g., as described above in reference to Step 408 of FIG. 4).

For example, the memory may include instructions to provide, by the authentication and authorization adapter, an access response to the requesting entity based on an IAM response from the particular IAM system (e.g., as described above in reference to Step 410 of FIG. 4).

FIG. 6 illustrates a block diagram of a computing device, in accordance with one or more examples of this disclosure. As discussed above, examples described herein may be implemented, at least in part, using computing devices, and the computing device shown in FIG. 6 may be such a computing device. For example, all or any portion of the components shown in FIG. 1 (e.g., the private cloud requesting service of FIG. 1, the private cloud user UI of FIG. 1, the private cloud service component(s) of FIG. 1, the app credentials vault of FIG. 1, the authentication and authorization adapter of FIG. 1, the private cloud user access system of FIG. 1, the private cloud service access system of FIG. 1), FIG. 2, and/or FIG. 3 may be implemented, at least in part, using a computing device such as the computing device, and may include all or any portion of the components of the computing device shown in FIG. 6 and described below.

In one or more examples, a computing device (e.g., the computing device) is any device, portion of a device, or any set of devices capable of electronically processing instructions and may include, but is not limited to, any of the following: one or more processors (e.g. components that include circuitry) (e.g., the processor), memory (e.g., random access memory (RAM)) (not shown), input and output device(s) (e.g., the non-persistent storage), non-volatile storage hardware (e.g., solid-state drives (SSDs), persistent memory (Pmem) devices, hard disk drives (HDDs) (not shown)), one or more physical interfaces (e.g., network ports, storage ports) (e.g., the persistent storage), any number of other hardware components (not shown), and/or any combination thereof. As used herein, a processor may be any component that can be configured to execute operations, processes, threads, and the like. In some examples, a computing device (e.g., the computing device) may include any number of heterogeneous processors.

The computing device may include a communication interface (e.g., Bluetooth interface, infrared interface, network interface, optical interface, any other type of communication interface), input devices, output devices, and numerous other elements (not shown) and functionalities. Each of these components is described below.

In one or more examples, the computer processor(s) may be an integrated circuit for processing instructions. For example, the computer processor(s) may be one or more cores or micro-cores of a processor. The processor may be a general-purpose processor configured to execute program code included in software executing on the computing device. The processor may be a special purpose processor where certain instructions are incorporated into the processor design. The processor may be a central processing unit (CPU), a multi-core CPU, an application specific integrated circuit (ASIC), a graphics processing unit (GPU), a data processing unit (DPU), a tensor processing unit (TPU), an associative processing unit (APU), a vision processing unit (VPU), a quantum processing unit (QPU), and/or various other processing units that use special purpose hardware (e.g., field programmable gate arrays (FPGAs), System-on-a-Chips (SOCs), digital signal processors (DSPs)). Although only one processor is shown in FIG. 6, the computing device may include any number of processors without departing from the scope of examples disclosed herein.

The computing device may also include one or more input devices, such as a touchscreen, keyboard, mouse, microphone, touchpad, electronic pen, motion sensor, or any other type of input device. The input devices may allow a user to interact with the computing device. In one or more examples, the computing device may include one or more output devices, such as a screen (e.g., a liquid crystal display (LCD), a plasma display, touchscreen, cathode ray tube (CRT) monitor, projector, or other display device), a printer, external storage, or any other output device. One or more of the output devices may be the same or different from the input device(s). The input and output device(s) may be locally or remotely connected to the computer processor(s), non-persistent storage, and persistent storage. Many different types of computing devices exist, and the aforementioned input and output device(s) may take other forms. In some instances, multimodal systems can allow a user to provide multiple types of input/output to communicate with the computing device.

Further, the communication interface may facilitate connecting the computing device to a network (not shown) (e.g., a local area network (LAN), a wide area network (WAN) such as the Internet, mobile network, or any other type of network) and/or to another device, such as another computing device. The communication interface may perform or facilitate receipt and/or transmission of wired or wireless communications using wired and/or wireless transceivers of any type and/or technology. Examples include, but are not limited to, those making use of an audio jack/plug, a microphone jack/plug, a universal serial bus (USB) port/plug, an Apple® Lightning® port/plug, an Ethernet port/plug, a fiber optic port/plug, a proprietary wired port/plug, a Bluetooth® wireless signal transfer, a BLE wireless signal transfer, an IBEACON® wireless signal transfer, an RFID wireless signal transfer, near-field communications (NFC) wireless signal transfer, dedicated short range communication (DSRC) wireless signal transfer, 802.11 WiFi wireless signal transfer, WLAN signal transfer, Visible Light Communication (VLC), Worldwide Interoperability for Microwave Access (WiMAX), IR communication wireless signal transfer, Public Switched Telephone Network (PSTN) signal transfer, Integrated Services Digital Network (ISDN) signal transfer, 3G/4G/5G/LTE cellular data network wireless signal transfer, ad-hoc network signal transfer, radio wave signal transfer, microwave signal transfer, infrared signal transfer, visible light signal transfer, ultraviolet light signal transfer, wireless signal transfer along the electromagnetic spectrum, or some combination thereof. The communications interface may also include one or more Global Navigation Satellite System (GNSS) receivers or transceivers that are used to determine a location of the computing device based on receipt of one or more signals from one or more satellites associated with one or more GNSS systems. GNSS systems include, but are not limited to, the US-based GPS, the Russia-based Global Navigation Satellite System (GLONASS), the China-based BeiDou Navigation Satellite System (BDS), and the Europe-based Galileo GNSS. There is no restriction on operating on any particular hardware arrangement, and therefore the basic features here may easily be substituted for improved hardware or firmware arrangements as they are developed.

The term computer-readable medium includes, but is not limited to, portable or non-portable storage devices, optical storage devices, and various other mediums capable of storing, containing, or carrying instruction(s) and/or data. A computer-readable medium may include a non-transitory medium in which data can be stored and that does not include carrier waves and/or transitory electronic signals propagating wirelessly or over wired connections. Examples of a non-transitory medium may include, but are not limited to, a magnetic disk or tape, optical storage media such as CD or DVD, flash memory, memory or memory devices. A computer-readable medium may have stored thereon code and/or machine-executable instructions that may represent a procedure, a function, a subprogram, a program, a routine, a subroutine, a module, a software package, a class, or any combination of instructions, data structures, or program statements. A code segment may be coupled to another code segment or a hardware circuit by passing and/or receiving information, data, arguments, parameters, or memory contents. Information, arguments, parameters, data, and the like may be passed, forwarded, or transmitted via any suitable means including memory sharing, message passing, token passing, network transmission, or the like.

All or any portion of the components of the computing device may be implemented in circuitry. For example, the components can include and/or can be implemented using electronic circuits or other electronic hardware, which can include one or more programmable electronic circuits (e.g., microprocessors, GPUs, DSPs, FPGAs, CPUs, CAMs, and/or other suitable electronic circuits), and/or can include and/or be implemented using computer software, firmware, or any combination thereof, to perform the various operations described herein. In some aspects, the computer-readable storage devices, mediums, and memories can include a cable or wireless signal containing a bit stream and the like. However, when mentioned, non-transitory computer-readable storage media expressly exclude media such as energy, carrier signals, electromagnetic waves, and signals per se.

In the above description, numerous details are set forth as examples described herein. It will be understood by those skilled in the art (who also have the benefit of this disclosure) that one or more examples described herein may be practiced without these specific details, and that numerous variations or modifications may be possible without departing from the scope of the examples described herein. Certain details known to those of ordinary skill in the art may be omitted to avoid obscuring the description.

Specific details are provided in the description above to provide a thorough understanding of the aspects and examples provided herein. However, it will be understood by one of ordinary skill in the art that the aspects and examples may be practiced without these specific details. For clarity of explanation, in some instances the present technology may be presented as including functional blocks that may include devices, device components, steps or routines in a method embodied in software, or combinations of hardware and software. Additional components may be used other than those shown in the figures and/or described herein. For example, circuits, systems, networks, processes, and other components may be shown as components in block diagram form in order not to obscure the aspects in unnecessary detail. In other instances, well-known circuits, processes, algorithms, structures, and techniques may be shown without unnecessary detail in order to avoid obscuring the aspects of examples disclosed herein.

Individual aspects may be described above as a process or method which is depicted as a flowchart, a flow diagram, a data flow diagram, a structure diagram, or a block diagram. Although a flowchart or flow diagram may describe the operations as a sequential process, many of the operations can be performed in parallel or concurrently. In addition, the order of the operations may be re-arranged. A process may be terminated when its operations are completed, but may have additional steps not included in a drawing. A process may correspond to a method, a function, a procedure, a subroutine, a subprogram, and the like. When a process corresponds to a function, its termination can correspond to a return of the function to the calling function or the main function.

Processes and methods according to the above-described examples can be implemented using computer-executable instructions that are stored or otherwise available from computer-readable media. Such instructions can include, for example, instructions and data which cause or otherwise configure a general-purpose computer, special purpose computer, a network device, or a processing device (e.g., one or more processors) to perform a certain function or group of functions. Portions of computer resources used can be accessible over a network. The computer executable instructions may be, for example, binaries, intermediate format instructions such as assembly language, firmware, source code, and the like. Examples of computer-readable media that may be used to store instructions, information used, and/or information created during methods according to described examples include magnetic or optical disks, flash memory, USB devices provided with non-volatile memory, networked storage devices, and so on.

In the above description of the figures, any component described with regard to a figure, in various examples described herein, may be equivalent to one or more same or similarly named and/or numbered components described with regard to any other figure. For brevity, descriptions of these components may not be repeated with regard to each figure. Thus, each and every example of the components of each figure is incorporated by reference and assumed to be optionally present within every other figure having one or more same or similarly named and/or numbered components. Additionally, in accordance with various examples described herein, any description of the components of a figure is to be interpreted as an optional example, which may be implemented in addition to, in conjunction with, or in place of the examples described with regard to a corresponding one or more same or similarly named and/or numbered component in any other figure.

Throughout the application, ordinal numbers (e.g., first, second, third) may be used as an adjective for an element (i.e., any noun in the application). The use of ordinal numbers is not to imply or create any particular ordering of the elements, nor to limit any element to being only a single element unless expressly disclosed, such as by the use of the terms “before”, “after”, “single”, and other such terminology. Rather, the use of ordinal numbers is to distinguish between the elements. By way of an example, a first element is distinct from a second element, and the first element may encompass more than one element and succeed (or precede) the second element in an ordering of elements.

As used herein, the phrase operatively connected, operative connection, and variations thereof, means that there exists between elements/components/devices a direct or indirect connection that allows the elements to interact with one another in some way. For example, the phrase ‘operatively connected’ may refer to any direct (e.g., wired directly between two devices or components) or indirect (e.g., wired and/or wireless connections between any number of devices or components connecting the operatively connected devices) connection. Thus, any path through which information may travel may be considered an operative connection.

While examples discussed herein have been described with respect to a limited number of examples, those skilled in the art, having the benefit of this disclosure, will appreciate that other examples can be devised which do not depart from the scope of examples as disclosed herein. Accordingly, the scope of examples described herein should be limited only by the attached claims.

Patent Metadata

Filing Date

February 26, 2025

Publication Date

June 11, 2026

Inventors

Sonu Sudhakaran
Tejaswi Bangalore Rajeevalochanam
Sathya Shankar K A
Manjunath Patil

Cite as: Patentable. “IDENTITY AUTHENTICATION AND AUTHORIZATION ADAPTER” (US-20260163736-A1). https://patentable.app/patents/US-20260163736-A1

© 2026 Patentable. All rights reserved.